[lug] Broadband
Michael J. Pedersen
marvin at keepthetouch.org
Wed Aug 2 08:48:47 MDT 2000
On Tue, Aug 01, 2000 at 06:11:57PM -0600, PC Drew wrote:
> MJP> more comfortable with sendmail than with the others out there. I ONLY allow
> MJP> secure shell connections for machine level access (ie: telnet and ftp are
> MJP> completely removed from my machine and inaccessible). Even though Apache is
> great! Another SSH user!
You mean that there are other options? ;)
> 1. If you don't FULLY understand the implications of hooking
> your computer up to the net, at the very least use some sort of
> product that will do all of this for you.
Now this, I can agree with, up to a point. However, when it comes to fully
securing their boxes, many people are in such a don't know/don't care state of
mind that spending another $160 (which, I'll admit, is a good value for the
switch) is something that they won't do. Not until they're actually cracked,
and can see this. As an immediate answer, they can throw up a Linux firewall
which will help them out somewhat once they are cracked. It is, of course, far
from perfect though, if for no other reason than it's already too late.
> 2. This product (and others like it) don't allow you to log on to
> them and gain access to your internal network. I've got a couple of
> hosts sitting behind this router and you CANNOT reach any of them
> because you can't log in to my gateway. Even if you're the best sys
> admin in the world, if someone gains access to your box, your WHOLE
> network is compromised. Not just that machine!
>
> I misspoke in the above paragraph saying that you "cannot" reach
> any of my boxes. I'm going to leave it there to illustrate my point,
> however.
And yet, in my experience, for every single network I've ever seen, there is
that one single point of failure: should that point become compromised, the
entire network is open. Consider the case of a firewall which requires the
use of a serial cable to connect to it for configuration. No traffic may ever
reach the firewall directly, and all traffic attempting to hit it will simply
disappear due to firewall rulesets. On the inside of this firewall, we will
have a machine which can connect to the firewall to configure it. However, it
will have no network connectivity at all, thereby removing remote
vulnerability to it. In this scenario, there are two possible points of
failure:
1) The firewall itself. Even without source code, crackers are known to be
able (and willing) to break through such things. If they happen to find a
buffer overflow exploit, they effectively gain access to the firewall itself
and, from there, your entire network.
2) The configuration computer. Should that machine be compromised in any way,
the firewall is compromised, and thus the whole network.
And therein lies the problem with security, and the proof of your statement
below: One point of failure will compromise any network, and it only takes the
one. That single point may be very well protected (and, in fact, usually is).
But that doesn't change the fact:
> 3. EVERYTHING can be cracked.
That statement is 100% true. We can only hope to secure our systems enough to
make them worthless to the crackers.
-----
Michael J. Pedersen
Get GnuPG at http://www.gnupg.org
My GnuPG Key Fingerprint: C31C 7E90 5992 9E5E 9A02 233D D8DD 985E 4E72 4A60
My GnuPG Public Key Available At: http://www.keyserver.net